Configure IKEv2 site-to-site VPN between Cisco router and FortiGate

Mohammed Umer
Dears,
I have an FG 100D and I need to create an IPsec site-to-site VPN using IKEv2. The FG has a static IP but the Cisco router has a dynamic IP.
Is this configuration achievable?

Regards,
Mohammed
Distinguished Expert 2017
Commented:
Yes, that would mean the Cisco has to initiate the VPN connection.
The setting on the FortiGate cannot require a WAN IP, meaning the site-to-site VPN is open to all provided they have the LAN-to-LAN and the pre-shared key, group rules.
To maintain the VPN active, you have to have activity/ping from the Cisco side .......

Cisco
Peer ID: FortiGate WAN
Local LAN: Cisco LAN
Remote LAN: FortiGate LAN

FortiGate
Peer: any source
Local LAN: FortiGate LAN
Remote LAN: Cisco LAN

Then match the settings for encapsulation/encryption and group 1, 2, 3 (768, 1024, etc.),
key lifetime, and refresher...

Set the parameters on one side, in your case the fortigate, then match it in the Cisco VPN setup...

Cisco has several examples of Cisco-to-FortiGate VPNs, and Fortinet likewise has examples of VPNs to Cisco.
Garry Glendown, Consulting and Network/Security Specialist
Commented:
As Arnold already wrote, the Cisco router will need to initiate the connection. Setting it up is typically pretty easy; depending on the OS version on the FortiGate, the wizard will make it even easier (though you may want or need to change to a custom VPN once you have run through the wizard). Cisco has a lot of manual steps of course, with configuring the phase 1/phase 2 parameters, crypto maps etc. ... Typically the setup shouldn't take more than 15-30 minutes for anybody who knows both systems ...

Here are some links that could help:
http://cookbook.fortinet.com/ipsec-vpn-forticlient/ - Fortinet end
http://www.petenetlive.com/KB/Article/0000933 - one sample setup, for Cisco/Cisco VPN, but most settings are usable for your case
noci, Software Engineer
Distinguished Expert 2018
Commented:
Instead of an IP peer ID, try the so-called DNS name (doesn't need to exist) or email format (also not required to exist), but it should be the same on both sides. This makes it feasible to have multiple pre-shared keys for multiple roaming VPNs.
(Unless Cisco cannot handle those ..., not sure about a possible setting there.)
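To make the two answers above concrete (the FortiGate accepting from any source but locked to one peer ID, the Cisco with the dynamic address initiating, and the phase 1/phase 2 parameters matched on both sides), here is an added example configuration that is not from the thread or from either vendor's documentation. The addresses 203.0.113.10 (FortiGate WAN), 192.168.10.0/24 (FortiGate LAN), 192.168.20.0/24 (Cisco LAN), the peer ID cisco-branch.example.net, the object names, interface names and the AES-256/SHA-256/DH group 14 choices are all assumptions; replace the PSK placeholder on both sides.

```text
# FortiGate (static WAN 203.0.113.10): IKEv2 dialup phase 1, accepts any source IP
# but only the peer ID the Cisco sends (assumed names/addresses, constructed example)
config vpn ipsec phase1-interface
    edit "to-cisco"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "cisco-branch.example.net"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "to-cisco-p2"
        set phase1name "to-cisco"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
! Cisco IOS (dynamic WAN IP): initiates; identity sent as FQDN, not address
crypto ikev2 proposal FG-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FG-POL
 proposal FG-PROP
crypto ikev2 keyring FG-KEYS
 peer fortigate
  address 203.0.113.10
  pre-shared-key <PSK-PLACEHOLDER>
crypto ikev2 profile FG-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local fqdn cisco-branch.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local FG-KEYS
crypto ipsec transform-set FG-TS esp-aes 256 esp-sha256-hmac
ip access-list extended FG-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map FG-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set FG-TS
 set pfs group14
 set ikev2-profile FG-PROFILE
 match address FG-ACL
interface GigabitEthernet0/0
 crypto map FG-MAP
```

The FortiGate still needs firewall policies between "to-cisco" and its LAN interface, and because the Cisco only brings the tunnel up when traffic matches FG-ACL, something on the Cisco LAN side (for example a periodic ping to a FortiGate LAN host) has to generate that traffic, as Arnold noted.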
noci, Software Engineer
Distinguished Expert 2018

Commented:
Solutions as well as additions have been provided.
